Security takes a backseat on Android in update shambles

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google's Android developer web site show that 44.4 per cent of users have the latest version of Android (2.3 or later) installed on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google's App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem - in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location - has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight months).

In some cases, the phones are not updated at all as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone, according to Bit9.

Security nightmare for BOFHs

"Smartphones are the new laptop and represent the fastest emerging threat vector," said Harry Sverdlove, CTO of Bit9. "In our bring-your-own-device-to-work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise."

Android smartphone manufacturers are prioritising form and functionality over security, leaving consumers and businesses at greater risk as a result of running out-of-date and insecure smartphone software. The consumerisation of IT, where more people are using their personal devices at work, is putting companies at risk of data leakage and intellectual property theft. Running around with outdated smartphone software is not just bad practice, it creates real security risks.

For example, the DroidDream malware, which moved Google to pull at least 50 apps from the Android Market in March and invoke a "kill switch" to remove those applications from more than 250,000 Android users' phones, relied on a specific vulnerability in the operating system that Google fixed in its 2.3 (Gingerbread) release and in the 2.2.2 point release of Froyo.

"The malware itself was delivered as a standard app that users had to choose to install, but its ability to take complete control of (root) the phone was dependent on the patch level of the phone," Sverdlove explained.

In August 2011, a vulnerability was discovered that could allow an attacker to hijack the browser. Google fixed this problem in 2.3.5 and 3.1. While no attacks based on the vulnerability have been carried out to date, it would be rash to wait until a major attack is underway before patching.
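The two fixes above show why "is this phone patched?" is not a single version-number floor: a fix can land on one release branch (2.2.2 on Froyo) while an older branch stays exposed, and a numerically higher build (3.0) can still lack a fix that ships in 2.3.5 and 3.1. The Python below is an added example, not code from the article or from Bit9, of the kind of patch-level check a device-admission policy would run over a fleet. The fixed-in versions come from the text; the branch model (a branch with no named fix is treated as unpatched, the conservative choice for a compliance check), the device labels and the version strings in the sample fleet are constructed for the example.

```python
"""Patch-level check for a fleet of Android devices (added example)."""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.3.5' into (2, 3, 5) so versions compare numerically.

    A plain string comparison would rank '2.10' below '2.9'; tuples of
    ints do not. Missing components are padded so '2.3' == '2.3.0'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected Android version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def branch(v: Version) -> tuple[int, int]:
    """Release branch = major.minor (2.2 Froyo, 2.3 Gingerbread, 3.x Honeycomb)."""
    return (v[0], v[1])


@dataclass(frozen=True)
class Fix:
    """A security fix and the first version on each branch that carries it."""
    name: str
    fixed_in: tuple[str, ...]

    def covers(self, version: str) -> bool:
        """True if `version` carries this fix.

        A version is patched if its own branch received the fix and it is
        at or past that version, or if its branch is newer than the newest
        branch that received the fix. A branch with no named fix that sits
        between fixed branches (3.0 when the fixes are 2.3.5 and 3.1) is
        treated as unpatched: a conservative modelling assumption.
        """
        v = parse_version(version)
        fixes = [parse_version(f) for f in self.fixed_in]
        on_branch = [f for f in fixes if branch(f) == branch(v)]
        if on_branch:
            return v >= min(on_branch)
        return branch(v) > max(branch(f) for f in fixes)


def naive_is_patched(version: str, minimum: str) -> bool:
    """The tempting one-liner: a single numeric floor. Wrong across branches."""
    return parse_version(version) >= parse_version(minimum)


# Fixes named in the article; version strings are from the text.
DROIDDREAM_ROOT = Fix("DroidDream root exploit", ("2.2.2", "2.3"))
BROWSER_HIJACK = Fix("August 2011 browser hijack", ("2.3.5", "3.1"))
KNOWN_FIXES = (DROIDDREAM_ROOT, BROWSER_HIJACK)


def missing_fixes(version: str, fixes=KNOWN_FIXES) -> list[str]:
    """Names of the known fixes a device on `version` does not carry."""
    return [f.name for f in fixes if not f.covers(version)]


def fleet_report(devices: dict[str, str], fixes=KNOWN_FIXES) -> dict[str, list[str]]:
    """Map each device to the fixes it lacks; an empty list means compliant."""
    return {name: missing_fixes(ver, fixes) for name, ver in devices.items()}


# Constructed sample fleet: device labels and version strings are made up.
SAMPLE_FLEET = {
    "sales-01": "2.2.1",
    "sales-02": "2.2.2",
    "eng-01": "2.3.4",
    "eng-02": "2.3.5",
    "tablet-01": "3.0.1",
    "tablet-02": "3.2",
}

if __name__ == "__main__":
    for device, gaps in fleet_report(SAMPLE_FLEET).items():
        status = "OK" if not gaps else "BLOCK: missing " + ", ".join(gaps)
        print(f"{device:10} {SAMPLE_FLEET[device]:6} {status}")
```

`naive_is_patched("3.0.1", "2.3.5")` says yes while `BROWSER_HIJACK.covers("3.0.1")` says no; the second answer is the one an admission policy should act on. In practice the fix table would be fed from a vulnerability tracker rather than hand-written, but the branch-aware comparison is the part that does not change.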

Most minor and major updates of Android include "security updates", and most Android phones come with manufacturer enhancements and third-party components (eg, Java and Flash) as well. Each of those components is equally at risk if it is not properly and regularly updated.

Despite this need for security updates, the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment in which it can take several months for important updates to be distributed, if at all.

"Manufacturers and phone carriers have shown that when they are in the business of owning software updates, they perform poorly," Harry Sverdlove, CTO of Bit9, told El Reg. "Their interest is in selling newer phones and carrier contracts; they are not incentivised to prioritise security for existing phones."

Sverdlove acknowledged there are no easy answers but suggested a number of steps to improve the situation. Firstly, much like the PC industry, smartphone manufacturers could relinquish control of operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.

Secondly, security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates. In the meantime, corporations need to evolve to a "secure app store" model and allow only specific devices and trustworthy applications into their environment.

Bit9 does not as yet market services or technology that secures mobile devices. It carried out the research in the interests of raising awareness about what it sees as a growing problem. ®